Re: [cryptography] MalwareBytes

2016-06-24 Thread Jason Richards
>> What matters is not the certificate. The certificate is public. >> You can’t “steal" a certificate. >> >> What you *can* steal is the private key associated with a >> certificate, and the more time goes by the more likely it becomes >> that someone has done so. >> >> However, the expiration dat

Re: [cryptography] MalwareBytes

2016-06-24 Thread Seth David Schoen
Ron Garret writes: > The whole idea of an expiration date (rather than an issue date) > on a certificate is a sort of a scam by the CAs to coerce people > into renewing (and hence paying for) their certificates on a regular > schedule. I think some CAs don’t even enforce the use of a new key > whe

Re: [cryptography] MalwareBytes

2016-06-24 Thread Seth David Schoen
John R. Levine writes: > >But all of this is rather a moot point nowadays. Now that letsencrypt is > >live, there is no reason to pay for a cert any more. > > Try getting a let's encrypt cert for your mail server. Or getting an EV > cert. EV certs are definitely not available from Let's Encry

Re: [cryptography] MalwareBytes

2016-06-24 Thread Kevin
Authors of ransomware as a service such as encryptor RaaS steal certificates all the time. On 6/24/2016 2:30 PM, Ron Garret wrote: What matters is not the certificate. The certificate is public. You can’t “steal" a certificate. What you *can* steal is the private key associated with a cert

Re: [cryptography] MalwareBytes

2016-06-24 Thread John R. Levine
EV certs are definitely not available from Let's Encrypt, but you can get a certificate for your mail server by using the DNS challenge type, which just requires you to place a specified record into your DNS zone. While the Certbot client doesn't support this mechanism, several other Let's Encrypt

Re: [cryptography] MalwareBytes

2016-06-24 Thread Jeffrey Walton
On Fri, Jun 24, 2016 at 2:30 PM, Ron Garret wrote: > What matters is not the certificate. The certificate is public. You can’t > “steal" a certificate. > > What you *can* steal is the private key associated with a certificate, and > the more time goes by the more likely it becomes that someone

Re: [cryptography] MalwareBytes

2016-06-24 Thread John R. Levine
But all of this is rather a moot point nowadays. Now that letsencrypt is live, there is no reason to pay for a cert any more. Try getting a let's encrypt cert for your mail server. Or getting an EV cert. R's, John ___ cryptography mailing list cr

Re: [cryptography] MalwareBytes

2016-06-24 Thread Ron Garret
What matters is not the certificate. The certificate is public. You can’t “steal" a certificate. What you *can* steal is the private key associated with a certificate, and the more time goes by the more likely it becomes that someone has done so. However, the expiration date is completely arb

Re: [cryptography] MalwareBytes

2016-06-24 Thread John Levine
In article <576d6d35.3080...@gmail.com> you write: >Do you want to take chances in a world of stolen certificates? Why is this certificate more likely to be stolen today than it was a week ago? It's the same certificate, it hasn't changed. R's, John >On 6/24/2016 11:09 AM, Jason Richards wrote

Re: [cryptography] MalwareBytes

2016-06-24 Thread Kevin
Do you want to take chances in a world of stolen certificates? On 6/24/2016 11:09 AM, Jason Richards wrote: I just downloaded the new MBAM installer. Its certificate expired 6/19/2016. Should I just ignore that fact? I wouldn't ignore it at all. The certificate that signed the code expired?

Re: [cryptography] MalwareBytes

2016-06-24 Thread Jason Richards
>> I just downloaded the new MBAM installer. >> >> Its certificate expired 6/19/2016. >> >> Should I just ignore that fact? > > I wouldn't ignore it at all. The certificate that signed the code expired? If the certificate was valid when the code was signed then there should be no issues. Nothing

Re: [cryptography] MalwareBytes

2016-06-21 Thread Kevin
I wouldn't ignore it at all. On 6/21/2016 1:25 PM, rv...@insightbb.com wrote: I just downloaded the new MBAM installer. Its certificate expired 6/19/2016. Should I just ignore that fact? ___ cryptography mailing list cryptography@randombit.net http:

[cryptography] MalwareBytes

2016-06-21 Thread rvh40
I just downloaded the new MBAM installer. Its certificate expired 6/19/2016. Should I just ignore that fact? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography